CVE-2026-32286 — Denial of service in github.com/jackc/pgproto3/v2

Description

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

How to fix CVE-2026-32286

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed
—no fix listed

Is CVE-2026-32286 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
>= 2.0.0, <= 2.3.3
>= 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYgithub.com/advisories/GHSA-jqcq-xjh3-6g23
ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32286
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-32286
PATCHgithub.com/jackc/pgproto3
WEB